CyberSecurity SEE

LUCR-3: Exploiting Fortune 2000 Companies with Victims’ Own Tools

A new threat group called LUCR-3 has recently emerged and is causing concern within the cybersecurity community. This financially motivated group is specifically targeting Fortune 2000 companies in various industries, including Software, Retail, Hospitality, Manufacturing, and Telecoms. LUCR-3’s main objective is to steal intellectual property from these organizations and then extort them.

What sets LUCR-3 apart from other threat groups is their unique approach to gaining initial access to their victims’ networks. Instead of relying on traditional malware-based techniques, LUCR-3 uses existing identities to infiltrate the targeted organizations. They perform reconnaissance on the identities of potential victims, specifically targeting individuals who have the necessary access privileges for their exploitation. This method allows them to bypass security measures and gain a foothold within the victim’s network.

To acquire the necessary identities, LUCR-3 relies primarily on social engineering: phishing, smishing (SMS phishing), or purchasing credentials from deep web marketplaces. The identities they take over have predominantly belonged to admins, developers, engineers, and members of the security team. By impersonating these individuals, LUCR-3 gains access to critical systems and information.

Notably, the credentials LUCR-3 uses are legitimate, so they connect to the target network and applications as a valid user would. To bypass multi-factor authentication (MFA), the group employs SIM swapping, MFA push fatigue, or phishing; in certain cases they purchase access to the target network from insiders. Once inside, LUCR-3 modifies the victim's MFA settings, for example by registering a new device or adding alternative MFA methods.

To learn about the organizations they target, LUCR-3 behaves like an ordinary employee. They view and search documents in SharePoint, OneDrive, knowledge bases, ticketing systems, and chat applications, which gives them in-depth knowledge of the victim organization. When the victim uses AWS, they browse the billing pages and the AWS Management Console to map the cloud infrastructure.

To maintain persistent access, LUCR-3 relies on techniques such as registering additional devices, adding alternate MFA methods, and enrolling strong authentication types under the compromised identity. In AWS, the threat actors create or update IAM users, access keys, and console login profiles. For defense evasion, LUCR-3 disables GuardDuty, stops logging, and uses serial console access. They may also send deceptive emails about helpdesk tickets, authentication key creation, access tokens, and OAuth grants to further their infiltration and evasion efforts.
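The AWS persistence and defense-evasion actions described above all leave CloudTrail records, so they can be triaged from the trail itself. The following is an added example written for this page, not code from the Permiso report or from the LUCR-3 coverage; the log records are constructed (account ID, ARNs, IPs and detector ID are placeholders), while the eventName values are real CloudTrail API names. It flags the persistence and evasion events, treats a GuardDuty UpdateDetector call as evasion only when it actually sets enable to false, and then reports identities that performed both tactics, which is the combination the article describes.

```python
"""Triage constructed CloudTrail records for the AWS persistence and
defense-evasion actions attributed to LUCR-3 (added example, not from the page)."""
import json

# Real CloudTrail eventName values, grouped by the tactic the article describes.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateLoginProfile", "UpdateLoginProfile", "CreateAccessKey",
}
DEFENSE_EVASION_EVENTS = {
    "StopLogging", "DeleteTrail",                                   # CloudTrail
    "DeleteDetector",                                               # GuardDuty
    "EnableSerialConsoleAccess", "SendSerialConsoleSSHPublicKey",   # EC2 serial console
}

# Constructed sample records in JSON-lines form (placeholder account, ARNs, IPs, detector ID).
SAMPLE_LOG = """
{"eventTime":"2023-09-20T12:01:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-engineer"},"sourceIPAddress":"203.0.113.10","requestParameters":null}
{"eventTime":"2023-09-20T12:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateLoginProfile","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-engineer"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2023-09-20T12:06:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-engineer"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2023-09-20T12:10:00Z","eventSource":"guardduty.amazonaws.com","eventName":"UpdateDetector","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-engineer"},"sourceIPAddress":"203.0.113.10","requestParameters":{"detectorId":"12abc34d567e8fa901bc2d34e56789f0","enable":false}}
{"eventTime":"2023-09-20T12:11:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-engineer"},"sourceIPAddress":"203.0.113.10","requestParameters":{"name":"org-trail"}}
{"eventTime":"2023-09-20T12:30:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-engineer"},"sourceIPAddress":"203.0.113.10","requestParameters":null}
{"eventTime":"2023-09-20T13:00:00Z","eventSource":"guardduty.amazonaws.com","eventName":"UpdateDetector","userIdentity":{"arn":"arn:aws:iam::111122223333:role/SecurityAutomation"},"sourceIPAddress":"198.51.100.7","requestParameters":{"detectorId":"12abc34d567e8fa901bc2d34e56789f0","findingPublishingFrequency":"FIFTEEN_MINUTES"}}
"""


def classify(record):
    """Return 'persistence', 'defense_evasion', or None for one CloudTrail record."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    if name in PERSISTENCE_EVENTS:
        return "persistence"
    if name == "UpdateDetector":
        # UpdateDetector is routine tuning unless it explicitly turns the detector off.
        return "defense_evasion" if params.get("enable") is False else None
    if name in DEFENSE_EVASION_EVENTS:
        return "defense_evasion"
    return None


def triage(log_text):
    """Parse JSON-lines CloudTrail records and return alerts for flagged events, in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        tactic = classify(record)
        if tactic is None:
            continue
        alerts.append({
            "time": record["eventTime"],
            "actor": record["userIdentity"]["arn"],
            "event": record["eventName"],
            "tactic": tactic,
            "source_ip": record["sourceIPAddress"],
        })
    return alerts


def actors_with_both_tactics(alerts):
    """Identities that both added persistence and disabled monitoring: the pattern in the article."""
    tactics_by_actor = {}
    for alert in alerts:
        tactics_by_actor.setdefault(alert["actor"], set()).add(alert["tactic"])
    return sorted(actor for actor, tactics in tactics_by_actor.items()
                  if {"persistence", "defense_evasion"} <= tactics)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['time']} {alert['tactic']:16} {alert['event']:28} {alert['actor']} from {alert['source_ip']}")
    print("identities showing both tactics:", actors_with_both_tactics(found))
```

In a real deployment the records would come from the trail's S3 bucket or a SIEM query rather than an inline string; the classification logic and the "same identity, both tactics" correlation are the parts worth carrying over. Note that the benign UpdateDetector call from the SecurityAutomation role, which only changes the finding publishing frequency, is correctly left unflagged.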

To help organizations stay vigilant, Permiso has published a comprehensive report detailing the activities, tactics, and indicators of compromise associated with LUCR-3. The report is a valuable resource for organizations seeking to understand and defend against this threat group.

It is crucial for organizations to stay informed about the latest cybersecurity news to keep their systems and data adequately protected. Following reputable sources on Google News, LinkedIn, Twitter, and Facebook can provide valuable insight into emerging threats and industry best practices. By staying updated and implementing robust security measures, organizations can mitigate the risk posed by threat groups like LUCR-3.